
Re: Getting LDAP and SASL (digest-md5) to play nice
Rick Stevens wrote:
> So, SASL is happy with an entry in the sasldb, but obviously that DN
> isn't in the LDAP database.  So, I added an authz-regexp:
>
> 	authz-regexp
> 	        uid=([^,]*),cn=[^,]*,cn=auth
> 	        uid=$1,ou=people,ou=People,dc=gbsbilling,dc=com
>
> Now, ldapwhoami gives me:
>
> [root@prophead ~]# ldapwhoami -w unix__gort
> SASL/DIGEST-MD5 authentication started
> SASL username: root
> SASL SSF: 128
> SASL installing layers
> dn:uid=root,ou=people,ou=people,dc=gbsbilling,dc=com
> Result: Success (0)
>
> Isn't that grand! That's what I want (I think),

Is that really what you think? Look closely.

> dn:uid=root,ou=people,ou=people,dc=gbsbilling,dc=com

> but it requires
> me to put an entry in the sasldb and I don't think that's necessary
> from what I gather from the docs.  However, without it, I can't
> authenticate at all, and therefore can't even get to LDAP.
>
> That being said, even that doesn't appear to be enough as I have an
> access rule:
>
> 	access to attrs=userPassword
> 	        by dn="uid=root,ou=people,dc=gbsbilling,dc=com" write

And again, look closely.

> 	        by dn="uid=root,ou=people,dc=gbsbilling,dc=com" write

> 	        by dn="cn=manager,dc=gbsbilling,dc=com" write
> 	        by dn="cn=manager,ou=aliases,dc=gbsbilling,dc=com" write
> 	        by anonymous auth
> 	        by self write
> 	        by * none

Pay attention to what you're doing.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/
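As an added worked check (not from the thread and not OpenLDAP code), the script below replays the chain Howard points at: the pseudo-DN slapd builds for the SASL identity, Rick's authz-regexp, and the ACL's `by dn=` clauses, and shows why the mapped DN with `ou=people` twice matches none of them. The single-ou replacement shown as a fix and the realm value are assumptions, not something the thread states.

```python
import re

# Constructed from the thread: Rick's authz-regexp (pattern, replacement) and the
# DNs his "access to attrs=userPassword" rule grants write access to.
AUTHZ_REGEXP = (r"uid=([^,]*),cn=[^,]*,cn=auth",
                "uid=$1,ou=people,ou=People,dc=gbsbilling,dc=com")
ACL_WRITE_DNS = ["uid=root,ou=people,dc=gbsbilling,dc=com",
                 "cn=manager,dc=gbsbilling,dc=com",
                 "cn=manager,ou=aliases,dc=gbsbilling,dc=com"]

def sasl_authc_dn(user, mech="digest-md5", realm=None):
    """Pseudo-DN slapd derives from a SASL identity before authz-regexp runs:
    uid=<user>[,cn=<realm>],cn=<mech>,cn=auth (form documented in slapd.conf(5))."""
    realm_part = [f"cn={realm}"] if realm else []
    return ",".join([f"uid={user}", *realm_part, f"cn={mech}", "cn=auth"])

def apply_authz_regexp(authc_dn, pattern, replacement):
    """Map the pseudo-DN through one authz-regexp; None when the pattern does not match.
    Like slapd, match case-insensitively and unanchored unless the pattern has ^/$."""
    m = re.search(pattern, authc_dn, flags=re.IGNORECASE)
    if m is None:
        return None
    # slapd substitutes $1..$9 in the replacement with the captured groups.
    return re.sub(r"\$([1-9])", lambda g: m.group(int(g.group(1))), replacement)

def normalize_dn(dn):
    """Simplified normalisation: these DNs use only case-insensitive attribute types,
    so lower-case each RDN and drop whitespace around the commas."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))

def acl_dns_matching(mapped_dn, acl_dns=ACL_WRITE_DNS):
    """The 'by dn=' clauses that would actually apply to the mapped identity."""
    return [dn for dn in acl_dns if normalize_dn(dn) == normalize_dn(mapped_dn)]

def check(user, realm, pattern, replacement):
    """Run the whole SASL -> authz-regexp -> ACL chain and report where it breaks."""
    authc = sasl_authc_dn(user, realm=realm)
    mapped = apply_authz_regexp(authc, pattern, replacement)
    hits = acl_dns_matching(mapped) if mapped else []
    return {"authc_dn": authc, "mapped_dn": mapped, "acl_hits": hits}

if __name__ == "__main__":
    # Rick's config: the mapped DN carries ou=people twice, so no ACL clause matches.
    print(check("root", None, *AUTHZ_REGEXP))
    # Assumed fix (not from the thread): a single ou=people, as written in the access rule.
    print(check("root", None, AUTHZ_REGEXP[0], "uid=$1,ou=people,dc=gbsbilling,dc=com"))
    # With a DIGEST-MD5 realm (assumed value) the pseudo-DN gains cn=<realm> and this
    # pattern no longer matches at all, so no mapping happens.
    print(check("root", "gbsbilling.com", *AUTHZ_REGEXP))
```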